PHI Disclosures on Yelp Lead to $10,000 Penalty

Elite Dental Associates has agreed to settle a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights in relation to the impermissible disclosure of multiple patients’ protected health information (PHI) as a reaction of patient reviews on the Yelp review online portal.

Elite Dental Associates is privately-owned dental practice, located in Texas, that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR was sent a complaint from an Elite patient about a social media HIPAA violation. The patient alleged that the dental practice had replied to a review she left on Yelp and publicly shared some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite shared the patient’s last name along with details of her health condition, treatment details, insurance, and cost data.

The investigation confirmed that to be so, but also ruled that it was not the first time that PHI had been shared without authorization on the social media platform when answering patient reviews. Additional impermissible PHI disclosures were seen on the Elite review page.

Along with the impermissible disclosures of PHI, which breached 45 C.F.R. § 164.502(a), OCR ruled Elite had not put in place policies and procedures linked to PHI, in particular the release of PHI on social media and other public platforms, in breach of 45 C.F.R. § 164.530(i). Elite was also found not to have included the minimum required content in its Notice of Privacy Practices as necessary under the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to pay a HIPAA breach fine of $10,000 and implement a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three possible HIPAA violations could have attracted a much higher financial penalty; however, when considering an appropriate financial fine, OCR took the financial role of the practice, its size, and Elite’s cooperation with the OCR review into account.

OCR Director, Roger Severino said: “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”


Author: Security News